A01 Broken Access Control
IDOR, forced browsing, missing function-level checks. Practice: IDOR labs.
A02 Cryptographic Failures
Weak encryption, exposed secrets, plaintext passwords. Practice: JWT labs with weak secrets.
A03 Injection
SQL, OS command, LDAP injection. Practice: SQLi and command injection labs.
A04-A10 summary
A04 Insecure Design — business logic flaws. A05 Security Misconfiguration — default creds, verbose errors. A06 Vulnerable Components — outdated libraries. A07 Auth Failures — session fixation, weak passwords. A08 Integrity Failures — insecure deserialization. A09 Logging Failures — no audit trail. A10 SSRF — server fetches attacker URLs.
Learning path
One OWASP category per week. Read OWASP doc → Cyfotok lab → write 200-word summary. Complete all ten in 10-12 weeks.